{
return make_shared<dcp::CertificateChain> (
openssl_path(),
+ CERTIFICATE_VALIDITY_PERIOD,
"dcpomatic.com",
"dcpomatic.com",
".dcpomatic.smpte-430-2.ROOT",
}
}
- optional<BadReason> bad;
-
- for (auto const& i: _signer_chain->unordered()) {
- if (i.has_utf8_strings()) {
- bad = BAD_SIGNER_UTF8_STRINGS;
- }
- }
-
- if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
- bad = BAD_SIGNER_INCONSISTENT;
- }
-
- if (!_decryption_chain->chain_valid() || !_decryption_chain->private_key_valid()) {
- bad = BAD_DECRYPTION_INCONSISTENT;
- }
-
+ auto bad = check_certificates ();
if (bad) {
auto const remake = Bad(*bad);
if (remake && *remake) {
switch (*bad) {
case BAD_SIGNER_UTF8_STRINGS:
case BAD_SIGNER_INCONSISTENT:
+ case BAD_SIGNER_VALIDITY_TOO_LONG:
_signer_chain = create_certificate_chain ();
break;
case BAD_DECRYPTION_INCONSISTENT:
}
}
+
+optional<Config::BadReason>
+Config::check_certificates () const
+{
+ optional<BadReason> bad;
+
+ for (auto const& i: _signer_chain->unordered()) {
+ if (i.has_utf8_strings()) {
+ bad = BAD_SIGNER_UTF8_STRINGS;
+ }
+ if ((i.not_after().year() - i.not_before().year()) > 15) {
+ bad = BAD_SIGNER_VALIDITY_TOO_LONG;
+ }
+ }
+
+ if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
+ bad = BAD_SIGNER_INCONSISTENT;
+ }
+
+ if (!_decryption_chain->chain_valid() || !_decryption_chain->private_key_valid()) {
+ bad = BAD_DECRYPTION_INCONSISTENT;
+ }
+
+ return bad;
+}
+